1 files changed, 41 insertions, 0 deletions

diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch
new file mode 100644
index 0000000000..c04b8e72a6
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch
@@ -0,0 +1,41 @@
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/c125fbe68783]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416640 25200
+# Node ID c125fbe6878395d10f01d891d3c09b1229ada404
+# Parent  09f98816fc8978f1d8623a857073d2d5746f0379
+Don't assume that argv is allocated as a single flat buffer.
+While this is how the kernel behaves it is not a portable assumption.
+The assumption may also be violated if getopt_long(3) permutes arguments.
+Found by Qualys.
+
+diff -r 09f98816fc89 -r c125fbe68783 src/parse_args.c
+--- a/src/parse_args.c	Sat Jan 23 08:44:00 2021 -0700
++++ b/src/parse_args.c	Sat Jan 23 08:44:00 2021 -0700
+@@ -614,16 +614,16 @@
+ 	if (argc != 0) {
+ 	    /* shell -c "command" */
+ 	    char *src, *dst;
+-	    size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
+-		strlen(argv[argc - 1]) + 1;
++	    size_t size = 0;
+ 
+-	    cmnd = dst = reallocarray(NULL, cmnd_size, 2);
+-	    if (cmnd == NULL)
++	    for (av = argv; *av != NULL; av++)
++		size += strlen(*av) + 1;
++	    if (size == 0 || (cmnd = reallocarray(NULL, size, 2)) == NULL)
+ 		sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ 	    if (!gc_add(GC_PTR, cmnd))
+ 		exit(EXIT_FAILURE);
+ 
+-	    for (av = argv; *av != NULL; av++) {
++	    for (dst = cmnd, av = argv; *av != NULL; av++) {
+ 		for (src = *av; *src != '\0'; src++) {
+ 		    /* quote potential meta characters */
+ 		    if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-' && *src != '$')
+
+